Enabling Authorization for HDFS Web UIs

You can enforce authorization for the following HDFS web UIs: the NameNode, DataNode, and JournalNode. To do so, you must have Kerberos authentication for HTTP web consoles and Hadoop
Secure Authorization enabled. When both configurations are set, only the hdfs user can access the HDFS web UIs by default. Any other user who attempts to access the web
UI will encounter an HTTP 403 error because the user is not authorized to access the page.

For users and groups other than hdfs to access the web UIs, you must add them to hdfs-site.xml with an HDFS Service Advanced Configuration Snippet (Safety Valve).

Perform the following steps to enforce authorization for the HDFS web UIs:

Navigate to the Configurations tab and search for the following property: HDFS Service Advanced Configuration
Snippet (Safety Valve) for hdfs-site.xml.

Add the following property:

Name: dfs.cluster.administrators

Value: <comma separated list of user names and/or group names>

For example, a sample property might look like this:

Name: dfs.cluster.administrators

Value: hdfs,admin_user_milton,HTTP,hue,admin_group

These values would allow the users hdfs, admin_user_milton, HTTP, and hue,
as well as the group admin_group, to access the following web UIs: NameNode, DataNode, and JournalNode.

If you perform the steps under Additional Configuration to restrict access to the /jmx, /stack, /conf, and
/metrics servlets, you must add the HTTP user and the Service Monitor Kerberos Principal so that Cloudera Manager can access the /jmx and /metrics
servlets.

You can view the Service Monitor Kerberos Principal by navigating to Cloudera Management Service > Configuration and searching for Role-Specific Kerberos Principal. The default Service Monitor Kerberos Principal is hue.

Save the configuration.

Restart all stale HDFS services.
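
One way to check the saved value against the requirements above, as an added example that is not Cloudera's code: it parses a constructed hdfs-site.xml snippet and reports whether the HTTP user and the Service Monitor Kerberos Principal are listed. The function names and the servlets_restricted flag are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the safety valve entry as it would appear in hdfs-site.xml,
# using the example value from this page.
SAMPLE_HDFS_SITE = """<configuration>
  <property>
    <name>dfs.cluster.administrators</name>
    <value>hdfs,admin_user_milton,HTTP,hue,admin_group</value>
  </property>
</configuration>"""


def read_administrators(hdfs_site_xml):
    """Return the entries of dfs.cluster.administrators, or None if it is not set."""
    root = ET.fromstring(hdfs_site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == "dfs.cluster.administrators":
            value = prop.findtext("value") or ""
            # Split on commas; whitespace is treated as a separator too, so
            # "hdfs, hue" and a space-separated value are both parsed.
            return value.replace(",", " ").split()
    return None


def audit(hdfs_site_xml, servlets_restricted, service_monitor_principal="hue"):
    """Return findings as strings; an empty list means nothing to fix.

    servlets_restricted (hypothetical flag): True when /jmx, /stack, /conf and
    /metrics are restricted as under Additional Configuration.
    service_monitor_principal defaults to hue, the default this page gives.
    """
    admins = read_administrators(hdfs_site_xml)
    if admins is None:
        return ["dfs.cluster.administrators is not set: only hdfs is authorized"]
    if admins == ["*"]:
        # A value of just "*" is the Hadoop ACL wildcard and matches every user.
        return ["wildcard '*' set: every authenticated user is authorized"]
    findings = []
    if servlets_restricted:
        for needed in ("HTTP", service_monitor_principal):
            if needed not in admins:
                findings.append(needed + " is missing: Cloudera Manager cannot "
                                "access /jmx and /metrics")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HDFS_SITE, servlets_restricted=True) or ["no findings"]:
        print(line)
```
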

Additional Configuration

For a higher level of security, you can enforce authorization for the following HDFS web UI servlets, which may contain sensitive data: /jmx, /stack, /conf, and /metrics. When you
enforce authorization for the servlets, only the users listed in the dfs.cluster.administrators property can access them.

Cloudera Manager requires access to the /jmx and /metrics servlets and uses the HTTP user as well as the Service Monitor Kerberos Principal to access them. Make sure to add both users to
dfs.cluster.administrators as described in Enabling Authorization for HDFS Web UIs.

Perform the following steps to enforce authorization for the servlets:
